designing correct concurrent applications : a verification overview
DESCRIPTION
Designing Correct Concurrent Applications : A verification Overview. Eran Yahav. Previously…. An algorithmic view Abstract data types (ADT) Correctness Conditions Sequential consistency Linearizability Treiber’s stack Atomic Snapshot. Today. A verification view - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/1.jpg)
DESIGNING CORRECT CONCURRENT APPLICATIONS: A VERIFICATION OVERVIEWEran Yahav
![Page 2: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/2.jpg)
2
Previously…
An algorithmic view Abstract data types (ADT) Correctness Conditions
Sequential consistency Linearizability
Treiber’s stack Atomic Snapshot
![Page 3: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/3.jpg)
Today
A verification view Assigning meaning to programs Trace semantics Properties
Abstract data types (ADT) Sequential ADTs over traces Concurrent ADTs?
Correctness Conditions Sequential consistency Linearizability
Treiber’s stack Atomic Snapshot
![Page 4: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/4.jpg)
4
Overview of Verification Techniques
“The desire for brevity combined with a poor memory has led me to omit a great deal of significant work” -- Lamport
![Page 5: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/5.jpg)
5
What is the “meaning” of a program?
int foo(int a ) { if( 0 < a < 5) c = 42 else c = 73; return c;}
int a() { printf(“a”); return 1; }int b() { printf(“b”); return 2; }int c() { printf(“c”); return 3; }int sum(int x, int y, int z) { return x+y+z; } void bar() { printf(“%d”, sum(a(),b(),c());}
![Page 6: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/6.jpg)
6
Semantics
“mathematical models of and methods for describing and
reasoning about the behavior of programs”
![Page 7: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/7.jpg)
7
Why Formal Semantics?
implementation-independent definition of a programming language
automatically generating interpreters (and some day maybe full fledged compilers)
verification and debugging if you don’t know what it does, how do
you know its incorrect?
![Page 8: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/8.jpg)
8
Different Approaches
Denotational Semantics define an input/output relation that assigns
meaning to each construct (denotation)
Structural Operational Semantics define a transition system, transition relation
describes evaluation steps of a program
Axiomatic Semantics define the effect of each construct on logical
statements about program state (assertions)
![Page 9: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/9.jpg)
9
Denotational Semantics
λx.2*x
λx.2*x
int double1(int x) { int t = 0; t = t + x; t = t + x; return t;}
int double2(int x) { int t = 2*x; return t;}
![Page 10: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/10.jpg)
10
Operational Semanticsint double1(int x) { int t = 0; t = t + x; t = t + x; return t;}
int double2(int x) { int t = 2*x; return t;}
[t 0, x 2]
x 2
[t 2, x 2]
[t 4, x 2]
[t 4, x 2]
[t 4, x 2]
![Page 11: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/11.jpg)
11
Axiomatic Semantics
int double1(int x) { { x = x0 }
int t = 0; { x = x0 t = 0 }
t = t + x; { x = x0 t = x0 }
t = t + x; { x = x0 t = 2*x0 }
return t;}
int double2(int x) { { x = x0 } int t = 2*x; { x = x0 t = 2*x0 } return t;}
![Page 12: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/12.jpg)
12
Relating Semantics
![Page 13: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/13.jpg)
What is the “meaning” of this program?
[y := x]1;[z := 1]2;while [y > 0]3 ( [z := z * y]4; [y := y − 1]5; )[y := 0]6
![Page 14: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/14.jpg)
14
what is the “meaning” of an arithmetic expression?
z * y y – 1
First: syntax of simple arithmetic expressions
For now, assume no variables a ::= n
| a1 + a2 | a1 – a2 | a1 * a2 | (a1)
![Page 15: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/15.jpg)
15
Structural Operational Semantics
Defines a transition system (,,T) configurations : snapshots of current
state of the program transitions : steps between
configurations final configurations T
1 2
34
= { 1, 2, 3, 4 }
= { (1,2), (1,4), (2,3) }
T = { 3, 4 }
![Page 16: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/16.jpg)
16
We write ’ when (,’)
* denotes the reflexive transitive closure of the relation *’ when there is a sequence
=0 1 … n = ’ for some n 0
Structural Operational SemanticsUseful Notations
![Page 17: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/17.jpg)
17
Big-step vs. Small-step
Big-step ’ describes the entire computation ’ is always a terminal configuration
Small-step ’ describes a single step of a larger
computation ’ need not be a terminal configuration
pros/cons to each big-step hard in the presence of concurrency
![Page 18: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/18.jpg)
18
Simple Arithmetic Expressions(big step semantics)
[Plus] a1 v1 a2 v2
a1 + a2 v
where v = v1 + v2
a v means “expression a evaluates to the value v”
a AExp , v Z
conclusion
premisesside
condition
![Page 19: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/19.jpg)
19
Simple Arithmetic Expressions(big step semantics)
[Plus] a1 v1 a2 v2
a1 + v1 v
where v = v1 + v2
[Minus] a1 v1 a2 v2
a1 - v1 v
where v = v1 - v2
[Mult] a1 v1 a2 v2
a1 * v1 v
where v = v1 * v2
[Paren] a1 v1
(a1) v
[Num] n v if Nn = v
![Page 20: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/20.jpg)
20
Transition system (,,T) configurations = AExp Z transitions : defined by the
rules on the previous slide final configurations T = Z
Transitions are syntax directed
Simple Arithmetic Expressions(big step semantics)
![Page 21: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/21.jpg)
21
Derivation Tree
show that (2+4)*(4+3) 42
2 2 4 42 + 4 6
4 4 3 34 + 3 7
2 + 4 6(2 + 4) 6
4 + 3 7(4 + 3) 7
(2+4) 6 (4 + 3) 7 (2+4)*(4 + 3) 42
2 2 4 4 4 4 3 3
![Page 22: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/22.jpg)
22
[Plus-1]
a1 a1’
a1 + a2 a1’ + a2
[Plus-2]
a2 a2’
a1 + a2 a1 + a2’
[Plus-3] v1 + v2 v where v = v1+ v2
Simple Arithmetic Expressions(small step semantics)
• intermediate values • intermediate configurations
![Page 23: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/23.jpg)
23
Small Step and Big Step
0 1 1 2 2 3
0 3
small step
big step
![Page 24: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/24.jpg)
24
The WHILE Language: SyntaxA AExp arithmetic expressionsB BExp boolean expressionsS Stmt statements
Var set of variablesLab set of labelsOpa arithmetic operatorsOpb boolean operatorsOpr relational operators
a ::= x | n | a1 opa a2
b ::= true | false | not b | b1 opb b2 | a1 opr a2
S ::= [x := a]lab | [skip]lab
| S1;S2 | if [b]lab then S1 else S2 | while [b]lab do S
(We are going to abuse syntax later for readability)
![Page 25: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/25.jpg)
25
The WHILE Language: Structural Operational Semantics
• State = Var Z• Configuration: • <S, > • for terminal configuration
• Transitions:• <S, > <S’, ’>• <S, > ’
Both the statement that remains to be executed,
and the state, can change
![Page 26: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/26.jpg)
26
The WHILE Language: Structural Operational Semantics
Transition system (,,T) configurations
= (Stmt State) State transitions final configurations T = State
![Page 27: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/27.jpg)
27
The WHILE Language: Structural Operational Semantics
(Table 2.6 from PPA)
[seq1] <S1 , > <S’1, ’>
<S1; S2, > < S’1; S2, ’>
[seq2] <S1 , > ’
<S1; S2, > < S2, ’>
<[x := a]lab, > [x Aa][ass]
<[skip]lab, > [skip]
![Page 28: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/28.jpg)
28
The WHILE Language: Structural Operational Semantics
(Table 2.6 from PPA)
<if [b]lab then S1 else S2, > <S1, > if Bb = true[if1]
<if [b]lab then S1 else S2, > <S2, > if Bb = false[if2]
<while [b]lab do S, > <(S; while [b]lab do S), > if Bb = true[wh1]
<while [b]lab do S, > if Bb = false[wh1]
![Page 29: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/29.jpg)
29
Derivation Sequences
Finite derivation sequence A sequence <S0, 0>… n
<Si, i> <Si+1, i+1>
n terminal configuration
Infinite derivation sequence A sequence <S0, 0>…
<Si, i> <Si+1, i+1>
![Page 30: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/30.jpg)
30
Termination in small-step semantics1: while (0 = 0) (2: skip;)
< while [0 = 0]1 ([skip]2), >
< [skip]2;while [0 = 0]1 ([skip]2), >
< while [0 = 0]1 ([skip]2), >
< [skip]2;while [0 = 0]1 ([skip]2), > …
![Page 31: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/31.jpg)
31
We say that S terminates from a start state when there exists a state ’ such that <S,> * ’
Termination in small-step semantics
![Page 32: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/32.jpg)
32
Termination in big-step semantics
what would be the transition in the big-step semantics for this example?
while [0 = 0]1 ([skip]2;)
![Page 33: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/33.jpg)
33
Semantic Equivalence
formal semantics enables us to reason about programs and their equivalence
S1 and S2 are semantically equivalent when for all and ’ <S1,> * ’ iff <S2,> * ’
We write S1 S2 when S1 and S2 are semantically equivalent
![Page 34: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/34.jpg)
34
Abnormal Termination
add a statement abort for aborting execution in the big-step semantics
while (0=0) skip; abort big-step semantics does not distinguish
between abnormal termination and infinite-loops
in the small-step semantics while (0=0) skip; abort
but we can distinguish the cases if we look at the transitions <abort,> 0 <abort,> infinite trace of skips
![Page 35: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/35.jpg)
What is the “meaning” of this program?
[y := x]1;[z := 1]2;while [y > 0]3 ( [z := z * y]4; [y := y − 1]5; )[y := 0]6
now we can answer this question using derivation sequences
![Page 36: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/36.jpg)
36
Example of Derivation Sequence[y := x]1;[z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5; )[y := 0]6
< [y := x]1;[z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y0, z0 } >
< [z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z0 } >
< while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 } >
< ([z := z * y]4;[y := y − 1]5;);while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 }> …
![Page 37: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/37.jpg)
37
Traces< [y := x]1;[z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y0, z0 } >
< [z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z0 } >
< while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 } >
< ([z := z * y]4;[y := y − 1]5;);while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 }> …
< [y := x]1;[z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y0, z0 } >
< [z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z0 } >
< while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 } >
< ([z := z * y]4;[y := y − 1]5;);while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 }> …
[y := x]1
[z := 1]2
[y > 0]3
![Page 38: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/38.jpg)
38
Traces< [y := x]1;[z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y0, z0 } >
< [z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z0 } >
< while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 } >
< ([z := z * y]4;[y := y − 1]5;);while [y > 0]3 ([z := z * y]4;[y := y − 1]5;)[y := 0]6,{ x42, y42, z1 }> …
[y := x]1
[z := 1]2
[y > 0]3
< 1,{ x42, y0, z0 } >
< 2,{ x42, y42, z0 } >
< 3,{ x42, y42, z1 } >
< 4,{ x42, y42, z1 }> …
[y := x]1
[z := 1]2
[y > 0]3
![Page 39: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/39.jpg)
39
Traces
< 1,{ x42, y0, z0 } >
< 2,{ x42, y42, z0 } >
< 3,{ x42, y42, z1 } >
< 4,{ x42, y42, z1 }> …
[y := x]1
[z := 1]2
[y > 0]3
![Page 40: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/40.jpg)
40
Trace Semantics
In the beginning, there was the trace semantics…
note that input (x) can be anything clearly, the trace semantics is not computable
[y := x]1;[z := 1]2;while [y > 0]3 ([z := z * y]4;[y := y − 1]5; )[y := 0]6 …
< 1,{ x42, y0, z0 } > < 2,{ x42, y42, z0 } >
< 3,{ x42, y42, z1 } > < 4,{ x42, y42, z1 }> …
[y := x]1 [z := 1]2
[y > 0]3
< 1,{ x73, y0, z0 } > < 2,{ x73, y73, z0 } >
< 3,{ x73, y73, z1 } > < 4,{ x73, y73, z1 }> …
[y := x]1 [z := 1]2
[y > 0]3
![Page 41: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/41.jpg)
41
Specification
Set of traces that satisfy the property
![Page 42: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/42.jpg)
42
Abstract Data Types
Raise the level of abstraction Work on (complex) data types as if
their operations are primitive operations
What does it mean technically?
client ADT
![Page 43: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/43.jpg)
43
Hiding ADT implementation
What should we require from the ADT? When can we replace one ADT implementation
with another ADT implementation?
All operations exposed
Hiding ADT operation
Client steps Client stepsADT steps
Client steps Client stepsADT big step
![Page 44: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/44.jpg)
44
Splitting Specification between Client and ADT
Specify the requirements from an ADT
Show that an ADT implementation satisfies its spec
Verify a client using the ADT specification (“big step”) instead of using/exposing its internal implementation
![Page 45: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/45.jpg)
45
ADT Specification
Typically: each operation specified using precondition/postcondition
(implicitly: the meaning is the set of traces that satisfy the pre/post)
Effect Return value
Insert(a) S’ = S U { a}
a S
Remove(a) S = S \ { a }
a S
Contains(a) a S
Example: operations over a set ADT
![Page 46: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/46.jpg)
46
ADT Verification
Show that the implementation of each operation satisfies its spec
Simple example: counter ADT
int tick() { t = val val = t+1 return t}
Effect Return value
tick()
C’ = C + 1
C
![Page 47: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/47.jpg)
47
Client Verification
Module three-ticks { Counter c = new Counter(); int bigtick() { c.tick(); c.tick(); t = c.tick(); return t; }}
Regardless of how the counter ADT is implemented, client verification can reason at the level of ADT operations
Client steps Client stepsADT steps
returntick tick tick
before after
Clear notion of before/after an ADT operation
![Page 48: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/48.jpg)
48
Client Verification
Module three-ticks { Counter c = new Counter(); int bigtick() { { c.value = prev } c.tick(); { c.value = prev + 1 } c.tick(); { c.value = prev + 2 } t = c.tick(); { c.value = prev + 3, t = prev + 2 } return t; }}
![Page 49: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/49.jpg)
49
Adding concurrency
How do we tell the client what it can assume about the ADT?
No clear notion of “before” and “after” an operation When can we check the precondition
and guarantee that the postcondition holds?
When operations are not atomic, there is possible overlap
![Page 50: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/50.jpg)
50
Two views
“Lamportism” – there should be a global invariant of the system that holds on every step
“Owicki-Gries-ism” – generalize sequential pre/post proofs to concurrent setting
Really, having a local invariant at a program point (taking into account the possible states of other threads)
![Page 51: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/51.jpg)
51
ADT Verification
Not true anymore, depends on other tick() operations that may be running concurrently
int tick() { t = val val = t+1 return t}
Effect Return value
tick()
C’ = C + 1
C
![Page 52: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/52.jpg)
52
ADT Verification
int tick() { t = val val = t+1 return t}
Effect Return value
tick()
C’ = C + 1
C
val = 0
t = val val = t+1
t = val val = t + 1
return t = 0
return t = 0
T1
T2
![Page 53: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/53.jpg)
Concurrent Counter
int tick() { lock(L) t = val val = t+1 unlock(L) return t}
val = 0
t = valval = t+1
t = val
ret t = 0
lock(L)
lock(L) unlock(L)T1
T2
53
![Page 54: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/54.jpg)
54
What guarantees can the ADT provide to clients?
Linearizability If operations don’t overlap, you can
expect same effect as serial execution When operations overlap, you can expect
some serial witness (with a potentially different ordering of operations)
Correctness does not depend on other operations/object used in the client Locality
![Page 55: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/55.jpg)
Optimistic Concurrent Counter
bool CAS(addr, old, new) { atomic { if (*addr == old) { *addr = new; return true; } else return false; }}
int tick() { restart: old = val new = old + 1 if CAS(&val,old,new) return old else goto restart return t}
• Only restart when another thread changed the value of “val” concurrently• Lock-free (but not wait-free)• CAS in operation fails only when another operation succeeds• note: failed CAS has no effect
55
![Page 56: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/56.jpg)
tick / 0
tick / 0
tick / 1
tick / 1
tick / 0
Correctness of the Concurrent Counter Linearizability [Herlihy&Wing 90]
Counter should give the illusion of a sequential counter
tick / 1
tick / 0tick / 1
T1
T2
T1 T1
T2
Tick / 1
Tick / 0
T1
T2
T1 T1
T2
tick / 0
tick / 0
56
![Page 57: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/57.jpg)
57
References
“Transitions and Trees” / Huttel “Principles of Program Analysis” /
Nielson, Nielson, and Hankin
![Page 58: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/58.jpg)
58
Backup slides
![Page 59: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/59.jpg)
59
Client Verification
int bigtick() { { c.value = prev } c.tick(); { c.value = prev + 1 } c.tick(); { c.value = prev + 2 } t = c.tick(); { c.value = prev + 3, t = prev + 2 } return t;}
int bigtick() { { c.value = prev } c.tick(); { c.value = prev + 1 } c.tick(); { c.value = prev + 2 } t = c.tick(); { c.value = prev + 3, t = prev + 2 } return t; }
Now what?
![Page 60: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/60.jpg)
60
Determinacy
We would like the big-step semantics of arithmetic expressions to be deterministic a v1 and a v2 then v1 = v2
induction on the height of the derivation tree (“transition induction”) show that rules for roots are
deterministic show that transition rules are
deterministic
![Page 61: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/61.jpg)
61
Determinacy
Is the small-step semantics of arithmetic expressions deterministic?
we want if a v1 and a v2 then v1 = v2
but we have, for example 2 +3 2 + 3 2 + 3 2 + 3
![Page 62: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/62.jpg)
62
Arithmetic Expressions
A: AExp (State Z)
Ax = (x)
An = Nn
Aa1 op a2 = Aa1 op Aa2
![Page 63: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/63.jpg)
63
Boolean Expressions
B: BExp (State { true, false} )
Bnot b = Bb
Bb1 opb b2 = Bb1 opb Bb2
Ba1 opr a2 = Aa1 opr Aa2
![Page 64: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/64.jpg)
64
Derivation Tree
2 2 4 4
2 + 4 6
4 4 3 3
4 + 3 7
(2 + 4) 6
(4 + 3) 7
(2+4)*(4 + 3) 42
![Page 65: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/65.jpg)
65
Nondeterminismbig-step semantics
new language construct s1 OR s2
[OR1-BSS]
<S1 , > ’
<S1 OR S2, > ’
[OR2-BSS]
<S2 , > ’
<S1 OR S2, > ’
![Page 66: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/66.jpg)
66
Nondeterminismsmall-step semantics
[OR1-SSS] <S1 OR S2, > <S1,>
[OR1-SSS] <S1 OR S2, > <S2,>
![Page 67: Designing Correct Concurrent Applications : A verification Overview](https://reader035.vdocuments.net/reader035/viewer/2022070416/56815022550346895dbe08c2/html5/thumbnails/67.jpg)
67
Nondeterminism
(x = 1) OR while(0=0) skip;
big-step semantics suppresses infinite loops
small step semantics has the infinite sequence created by picking the while<(x = 1) OR while(0=0) skip;,> <while(0=0) skip;,> …